QUOTE: Modern operating systems don’t make life easy for malware coders. Features like Data Execution Prevention and non-executable memory pages ruin schemes that involve injecting malicious code disguised as data. Modern malefactors have turned to a technique called Return-Oriented Programming (ROP) to get around these restrictions. However, researchers Michalis Polychronakis and Angelos D. Keromytis from Columbia University have invented a way to detect this sneaky technique.

Instead of trying to inject malicious code into the system, the malware writers find the CPU instructions they want in existing processes, typically always-loaded Windows processes. They slip in a list that contains the in-memory addresses of these code chunks, called “gadgets“. By forcing execution of the gadgets in a specific order, they build an exploit without ever placing executable code on the system.